In a recent development, the US Cybersecurity and Infrastructure Security Agency (CISA) identified a critical vulnerability in the Roundcube email software, designated CVE-2023-43770. The vulnerability, classified as a cross-site scripting (XSS) flaw with a CVSS score of 6.1, has been exploited in the wild. This article examines the details of CVE-2023-43770, its potential impact, the affected versions, and the remediation steps recommended by cybersecurity authorities.
Details of CVE-2023-43770
CVE-2023-43770 concerns the improper handling of linkrefs in plain-text messages within Roundcube Webmail. The flaw creates a potential vector for cross-site scripting (XSS) attacks, posing a significant risk of information disclosure through malicious link references. Although specific exploitation details have not been disclosed, the severity of an XSS vulnerability underscores the need for prompt action.
The vulnerability affects Roundcube versions before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3. The Roundcube maintainers responded quickly by releasing version 1.6.3 on September 15, 2023, which addresses and mitigates the identified vulnerability. Credit for discovering and reporting CVE-2023-43770 goes to Zscaler security researcher Niraj Shivtarkar.
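The affected-version ranges above are the practical test an administrator needs when triaging an inventory of Roundcube installations. The following Python helper is an added example, not code from the article or from the Roundcube project: it encodes exactly the three ranges stated above (before 1.4.14, 1.5.x before 1.5.4, 1.6.x before 1.6.3), treats any branch older than 1.4 as affected because it predates 1.4.14, and treats branches newer than 1.6 as outside the advisory's ranges. How the version string is obtained from a given host is left to the caller and is an assumption of this example; the sample versions in the `__main__` block are constructed.

```python
"""
Triage Roundcube version strings against the CVE-2023-43770 affected ranges
quoted in the advisory: < 1.4.14, 1.5.x < 1.5.4, 1.6.x < 1.6.3.
Added example; not part of the original article or the Roundcube project.
"""
import re
from typing import Dict, Iterable, Tuple

Version = Tuple[int, int, int]

# First fixed release on each branch named in the advisory.
FIXED_VERSIONS: Dict[Tuple[int, int], Version] = {
    (1, 4): (1, 4, 14),
    (1, 5): (1, 5, 4),
    (1, 6): (1, 6, 3),
}


def parse_version(version: str) -> Version:
    """Turn '1.6.2', 'v1.6.2' or '1.6.2-beta' into a comparable (major, minor, patch) tuple.

    Pre-release suffixes are ignored; a missing patch component is read as 0.
    """
    match = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = match.group(1), match.group(2), match.group(3) or "0"
    return int(major), int(minor), int(patch)


def is_affected(version: str) -> bool:
    """Return True when the version lies inside one of the advisory's affected ranges."""
    parsed = parse_version(version)
    branch = parsed[:2]
    if branch in FIXED_VERSIONS:
        # Within a named branch, anything older than the fixed release is affected.
        return parsed < FIXED_VERSIONS[branch]
    # Every release older than the 1.4 branch is "before 1.4.14", hence affected.
    # Branches newer than 1.6 are not listed in the advisory, so they are not flagged.
    return parsed < (1, 4, 0)


def triage(versions: Iterable[str]) -> Dict[str, bool]:
    """Map each version string (e.g. one per host) to its affected/not-affected verdict."""
    return {ver: is_affected(ver) for ver in versions}


if __name__ == "__main__":
    # Constructed sample inventory, one version string per host.
    inventory = ["1.3.17", "1.4.13", "1.4.14", "1.5.3", "1.5.4", "1.6.2", "1.6.3", "v1.6.2-beta"]
    for ver, affected in triage(inventory).items():
        print(f"{ver:<12} {'AFFECTED - update' if affected else 'not in affected range'}")
```

Because the check compares numeric tuples rather than strings, "1.4.9" is correctly ordered before "1.4.14"; a plain string comparison would get that wrong. Versions the parser cannot read raise `ValueError` rather than silently passing as unaffected.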
Impact and Potential Threat Actors
Past incidents have shown that vulnerabilities in web-based email clients can be a weapon of choice for threat actors. Notable groups such as APT28 and Winter Vivern have exploited similar vulnerabilities in the past. The potential consequences of exploiting CVE-2023-43770 include unauthorized access, data theft, and possible compromise of sensitive information. The urgency for users and organizations to apply security measures cannot be overstated.
Response and Mitigation
In response to the identified threat, the US Federal Civilian Executive Branch (FCEB) issued a directive to apply the vendor-provided fixes by March 4, 2024. The directive aims to strengthen network security and protect against potential cyber threats arising from the CVE-2023-43770 vulnerability.
Best Practices for Prevention
Preventing future compromises requires a proactive approach to cybersecurity. Consider the following best practices:
- Keep Software Updated: Regularly update Roundcube and other software to the latest versions to close vulnerabilities and improve security.
- Apply Security Patches: Install patches and updates provided by software vendors promptly to address identified vulnerabilities.
- User Awareness Training: Train users to recognize and report suspicious emails or activity to reduce the risk of falling victim to exploitation.
- Network Segmentation: Use network segmentation to limit the potential impact of a successful attack and contain the spread of threats.
Conclusion
The exploitation of CVE-2023-43770 in the Roundcube email software highlights the evolving threat landscape and the need for robust cybersecurity measures. Users and organizations should act promptly to apply the necessary security patches, update their software, and raise user awareness to reduce the risk of falling victim to such vulnerabilities. Collaborative efforts by security researchers, software vendors, and cybersecurity authorities play a crucial role in protecting digital environments against emerging cyber threats.